Version 10.22.1 'Dubnium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
Version 10.22.0 'Dubnium' (LTS)
Notable changes
deps:
* upgrade npm to 6.14.6
* upgrade openssl sources to 1.1.1g
n-api:
* add napi_detach_arraybuffer
As of the last updates to each of these, made earlier this month, they
now require nghttp2>=1.41.0 to build. They expect
nghttp2_option_set_max_settings to be available.
Version 10.21.0 'Dubnium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
Commits
- deps: fix OPENSSLDIR on Windows
- deps: backport ICU-20958 to fix CVE-2020-10531
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
Version 10.20.1 'Dubnium'
Notable changes
Due to release process failures, Node.js v10.20.0 shipped with source and header tarballs that did not properly match the final release commit that was used to build the binaries. We recommend that Node.js v10.20.0 not be used, particularly in any applications using native add-ons or where compiling Node.js from source is involved.
Node.js v10.20.1 is a clean release with the correct sources and is strongly recommended in place of v10.20.0.
Version 10.20.0 'Dubnium'
macOS package notarization and a change in builder configuration
The macOS binaries for this release, and future 10.x releases, are now being compiled on macOS 10.15
Notable changes
buffer: add {read|write}Big[U]Int64{BE|LE} methods
build: macOS package notarization
deps:
update npm to 6.14.3
upgrade openssl sources to 1.1.1e
upgrade to libuv 1.34.2
n-api:
add napi_get_all_property_names
add APIs for per-instance state management
define release 6
turn NAPI_CALL_INTO_MODULE into a function
tls:
expose keylog event on TLSSocket
support TLS min/max protocol defaults in CLI
url: handle quasi-WHATWG URLs in urlToOptions()
Version 13.10.0 (Current):
Notable Changes
async_hooks
- introduce async-context API
stream
- support passing generator functions into pipeline()
tls
- expose SSL_export_keying_material
vm
- implement vm.measureMemory() for per-context memory measurement
Version 10.19.0 'Dubnium' (LTS):
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
Moved nodejs to nodejs10 - version 10.17.0
Version 12.13.1 'Erbium' (LTS):
Notable changes
Experimental support for building Node.js with Python 3 is improved.
ICU time zone data is updated to version 2019c. This fixes the date offset in Brazil.
